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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


x] Yes 


X 


No 


Q2 If not, please specify where improvements could be made. 


While the Code does clearly explain the legal requirements, there is 
some concern over the practical implementation of the Codes 
requirements particularly in the section on Data Sharing Agreements. 
For example, it is not clear whether it will be feasible and practical for 
organisations to adhere to all the requirements outlined in this section. 
Also, the guidance does not recognise that there will be situations 
where companies will share data with partners on a more routine basis 
in order to provide or deliver a service. 


Also the term “data pooling” is used in the Code. It would be useful if 
there was clarity on what is meant by this term in the Code itself and 
some examples to illustrate the points being made here within the 
Code. 


Q3 Does the draft code cover the right issues about data sharing? 
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Yes 


Q4 __siIf no, what other issues would you like to be covered in it? 


The Code adequately outlines the requirements under GDPR, 
particularly for public sector bodies. However, the Code does not 
provide enough practical assistance and guidance for how organisations 
should approach data sharing issues that could arise in new and more 
complex commercial scenarios. For example, in commercial situations 
where data is shared to be used for research purposes, particularly in 
innovative areas such as AI. There is also no guidance for organisations 
on how to address issues raised by intergroup data sharing. 


It is also suggested that the Code’s section on acquisitions or transfer of 
databases and lists could provide further guidance. In particular, to 
guide organisations looking to acquire databases of the need to ensure 
the necessary consents are in place for the data to be 
shared/transferred. It would also be useful if the Code could highlight 
the importance of ensuring the obligation to collect appropriate consent 
is contained in the contract to ensure transparency and clarity when 
databases are being sold, acquired or transferred. It is suggested that 
these additions could be included by adding extra detail to the bullet 
point on checking the records of consent to cover these points. 


Another aspect of the Code where further details would be useful is in 
situations where data is shared between controllers. It would be useful 
if the code provided data sharing examples to offer clear guidance on 
what is needed when sharing occurs in situations where there are joint 
controllers and between other controllers to controllers. 


Finally, while the Code highlights the need for organisations to make 
plans to cover “ad hoc data sharing”, it does not provide any details or 
examples of the steps that should be taken. It would be useful if the 
Code could offer guidance, or an example, on the type of steps 
organisations might take if and when ad hoc data sharing may take 
place. 


Q5 Does the draft code contain the right level of detail? 


Yes 


xX No 
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Q6 Ifno, in what areas should there be more detail within the draft 
code? 


The Code does not provide any information or guidance to organisations 
that may be subject to data protection laws in other international 
jurisdictions such as the United States. It is suggested that the draft 
Code should be amended to include links to additional ICO guidance on 
how the rights of the Code on data sharing relate to requirements under 
non EU law. 


Another area where more detail would be useful is in the section on 
data ethics and data trusts. For example, it may be useful to include 
more details on how the requirements of GDPR relate to the issues in 
this section and also some practical examples and case studies to help 
organisations in this area. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


O Yes 


xX No 


Q8__siIf no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


The Code will be useful to organisations looking to understand their 
legal requirements under GDPR. However, it is felt that the Code could 
go further by providing organisations with more advice and guidance on 
how to practically address some of the more complex issues arising 
from new and emerging commercial uses of data. As organisations 
increasing adopt and deploy more innovative, data driven technologies 
this is likely to raise new data sharing issues and questions particularly 
in relation to the sharing of data with an increasing number of partners, 
data segmentation and ownership of outcomes derived from projects 
enabled by the sharing of different data sets. 


It would have been useful for the Code to offer practical examples and 
case studies of more innovative scenarios of where data sharing is 
happening and how key issues around data use that may arise might be 
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addressed. This could have included guidance on issues of rights and 
responsibilities for data created by a new product or service that has 
been developed based on data that has been shared between 
organisations. These are the complex issues being faced by 
organisations where the Code could have provided useful support and 
guidance. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


K Yes 


O No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


O Yes 


Xx] No 


Q12 If no, in what way does the draft code fail to strike this balance? 
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As raised in our previous input, when it comes to data sharing there is 
an inherent risk aversion in both private sector organisations and public 
bodies. This prevents the proactive sharing of information. The Code 
was an opportunity to emphasise the benefits of appropriate data 
sharing, as well as the risks which need to be mitigated when data is 
shared. It is felt that the draft Code could still be strengthened further 
to raise greater awareness of the potential positive benefits of data 
sharing particularly by public sector bodies. 


While the inclusion of additional case studies and examples in the Code 
are a welcome step forward, it is suggested that additional examples 
would be useful to help support the sections of the Code that relate to 
public sector bodies, particularly in relation to the Digital Economy Act. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


xX Yes 


O No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


More practically it would be useful if there was an index page (in 
addition to the contents page) at the start of the Code to help 
organisations find information on specific issues more quickly and 
easily. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


L] Strongly agree 


X Agree 


Neither agree nor disagree 


O Disagree 
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Q1i6 Are you answering as: 


QO An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


L] An individual acting in a professional capacity 


X On behalf of an organisation 


O Other 


Please specify the name of your organisation: 


techUK 


Thank you for taking the time to share your views and experience. 


